topic Re: Add time in search string in Splunk Search

Add time in search string

vik123ash — Tue, 27 Feb 2018 03:14:56 GMT

Hi All,

i want to add time in search string.

My data is showing time 26-02-2018T02:00:00.000+0000, but while searching i want to add 11 hour , means it should create filter for time 27-02-2018T13:00:00.000+0000.

Also after this i also want to apply substring on time to just show dates.

i am using below one, but its not working.

index=XXXXXX source="XXXXXX" |eval host=add(Date,+11) | eval hostgroup=substr(Date,1,10) | stats count(Date) by hostgroup

Please help.

Vikash

Re: Add time in search string

p_gurav — Tue, 27 Feb 2018 04:04:14 GMT

Hi,

This may be helpful for you:

index=XXXXXX source="XXXXXX" |eval date=strftime(Date, "%d-%m-%Y %H:%M:%S.%3N%z") | eval date1=date+39600 | eval  hostgroup =strptime(date1, "%d-%m-%Y") | stats count(date) by hostgroup

Re: Add time in search string

vik123ash — Tue, 27 Feb 2018 04:32:28 GMT

@p_gaurav

Thanks for your quick reply.

Query is not provding any output.

Re: Add time in search string

p_gurav — Tue, 27 Feb 2018 04:35:58 GMT

Hi,

can you tell me output of this:
index=XXXXXX source="XXXXXX" |eval date=strftime(_time, "%d-%m-%Y %H:%M:%S")

Re: Add time in search string

vik123ash — Tue, 27 Feb 2018 04:49:00 GMT

I have too many date fields, out of which i want to create filter for one of the date field. i am not sure if _time will help here.

Below is the date field on which i need to execute the query.
CDate: 2018-02-27T03:55:28.000+0000

Re: Add time in search string

vik123ash — Tue, 27 Feb 2018 05:44:46 GMT

Hi @p_gaurav

We are getting output 0 though we have non-zero value.

Re: Add time in search string

p_gurav — Tue, 27 Feb 2018 06:17:34 GMT

Try this:

index=XXXXXX source="XXXXXX" |eval date=strptime(CDate, "%d-%m-%Y %H:%M:%S.%3N%z") | eval date1=date+39600 | eval hostgroup =strftime(date1, "%d-%m-%Y") | stats count(CDate) by hostgroup